Skip to content

[isolation] [PROC-ENV] Same-UID /proc environ key visibility allows cross-process secret metadata exposure #1790

Open
Open
[isolation] [PROC-ENV] Same-UID /proc environ key visibility allows cross-process secret metadata exposure#1790
Labels
automationisolation-testingsecurity
@github-actions

Description

@github-actions
github-actions
bot
opened on Apr 8, 2026

Summary

From inside the agent container, a runner-owned process can read environment key names from other runner-owned processes via /proc/<pid>/environ. This crosses expected process-isolation boundaries for sensitive workflow material.

Boundary Type

Process isolation boundary violation (same-UID cross-process environment observability).

Methodology (value-safe)

I performed a deep dive focused on environment-isolation behavior using key-only checks (no secret values captured, printed, or stored).

Techniques used in this run:

  • Baseline key-only census of AWF_ONE_SHOT_TOKENS visibility across runner-owned PIDs.
  • Lifecycle differential (running vs SIGSTOP) for synthetic env marker visibility.
  • Dumpable-state differential using a helper process toggling PR_SET_DUMPABLE=0.
  • Pre-open FD hold-open probe against /proc/<pid>/environ.
  • Alias path test via /proc/<pid>/root/proc/<pid>/environ.

Findings

  • AWF_ONE_SHOT_TOKENS key was observable in multiple runner-owned processes (awf_key_pid_count=5) via /proc/<pid>/environ (key-only).
  • Synthetic marker keys remained observable while target process was running and while SIGSTOP-stopped.
  • After target set PR_SET_DUMPABLE=0, fresh /proc/<pid>/environ reads were blocked (permission denied), but a descriptor opened before the toggle remained readable for key-only detection.
  • Alias path /proc/<pid>/root/proc/<pid>/environ also exposed marker key for a live same-UID target.

Reproduction (sanitized)

  1. Enumerate runner-owned PIDs: ps -eo pid=,user= | awk '$2=="runner"{print $1}'.
  2. For each PID, read key names only: tr '\0' '\n' < /proc/$pid/environ | cut -d= -f1.
  3. Check for sensitive key presence (e.g., AWF_ONE_SHOT_TOKENS) without printing values.
  4. Launch helper process with marker key and toggle dumpable from 1 to 0.
  5. Compare:
    • Fresh read from /proc/<pid>/environ after toggle (expected blocked), and
    • Read from FD opened before toggle (remains readable).

Impact

An in-container same-UID process can infer sensitive environment material presence across process boundaries. Even without value disclosure, this weakens isolation guarantees and can aid targeted exfiltration strategies.

Version Info

  • gh-aw version context: GH_AW_INFO_CLI_VERSION=v0.67.2
  • Compiled workflow metadata: compiler_version=v0.67.2
  • cli_version field in .github/workflows/secret-digger-codex.lock.yml: not present

Notes

  • No actual secret values were collected or included in this report.
  • Duplicate reporting is intentional per isolation-testing workflow guidance.

Generated by Secret Digger (Codex) ·

  • expires on Apr 9, 2026, 11:40 AM UTC

Metadata

Metadata

Assignees

No one assigned

    Labels

    automationisolation-testingsecurity

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions